Re: [DNSOP] Call for Adoption: draft-kh-dnsop-7706bis

"Paul Hoffman" <paul.hoffman@vpnc.org> Wed, 25 July 2018 00:08 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6E34130E2E for <dnsop@ietfa.amsl.com>; Tue, 24 Jul 2018 17:08:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zTGYvzsOcDro for <dnsop@ietfa.amsl.com>; Tue, 24 Jul 2018 17:08:22 -0700 (PDT)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F189130E04 for <dnsop@ietf.org>; Tue, 24 Jul 2018 17:08:22 -0700 (PDT)
Received: from [10.32.60.71] (50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141]) (authenticated bits=0) by mail.proper.com (8.15.2/8.15.2) with ESMTPSA id w6P082aN046638 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 24 Jul 2018 17:08:06 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141] claimed to be [10.32.60.71]
From: "Paul Hoffman" <paul.hoffman@vpnc.org>
To: "Paul Wouters" <paul@nohats.ca>
Cc: dnsop <dnsop@ietf.org>
Date: Tue, 24 Jul 2018 17:08:16 -0700
X-Mailer: MailMate (1.11.3r5509)
Message-ID: <74E9278C-8C32-481C-AFB5-36EDB4150DDC@vpnc.org>
In-Reply-To: <alpine.LRH.2.21.1807241332220.19044@bofh.nohats.ca>
References: <CADyWQ+H_xqXyOPOaiAgu=PW8UwT-zX=0zRm3A20V9jbnHocDXw@mail.gmail.com> <alpine.LRH.2.21.1807241332220.19044@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/QPhQGk3Oc76PQLm1nwb2rC4GZtw>
Subject: Re: [DNSOP] Call for Adoption: draft-kh-dnsop-7706bis
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jul 2018 00:08:25 -0000

On 24 Jul 2018, at 10:35, Paul Wouters wrote:

> While I agree with the goal of the draft, to keep root server queries on
> the local host, I don't like how it is suggesting to run a DNS server on
> localhost:53, because that is going to cause problems with running
> validating resolvers on the stub. There are already enough racy
> conditions on systems with virtual machines and running dhcp/dns servers
> for those that are racing to own 127.0.0.1:53.

If you find a place where the draft is suggesting that, please let us 
know: it should not be doing that. That's why the draft explicitly 
states:

. . .
    2.  Start the authoritative server with the root zone on an address
        on the host that is not in use.  For IPv4, this could be
        127.0.0.1, but if that address is in use, any address in 127/8 is
        acceptable.  For IPv6, this would be ::1.
. . .
    The examples here use a loopback address of 127.12.12.12, but typical
    installations will use 127.0.0.1.  The different address is used in
    order to emphasize that the root server does not need to be on the
    device at the name "localhost" which is often locally served as
    127.0.0.1.
. . .

> But again, having a well-integrated method for slaving the root zone on
> a local validating stub resolver is something that everyone should do
> (along with query minimalization)

Hopefully, that's a recommendation for adoption of the draft.

--Paul Hoffman
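The draft text quoted above tells the operator to put the local root server on a loopback address "that is not in use", and the concern raised in the thread is exactly the race for 127.0.0.1:53 between several local services. The following is an added example (not from the draft, the message, or any resolver project) of the pre-flight check an operator can run before starting the root server: it probes both UDP and TCP on each candidate loopback address and returns the first one that nothing else on the host already owns. It assumes a Linux-style loopback where every address in 127/8 is bound to `lo`, so 127.12.12.12 is bindable without extra configuration; the function names and the candidate list are this example's own.

```python
import socket
from typing import Iterable, Optional, Tuple

# Candidate addresses in the draft's order of preference (constructed list):
# 127.0.0.1 first, then another address in 127/8, then ::1 for IPv6.
DEFAULT_CANDIDATES = ("127.0.0.1", "127.12.12.12", "::1")


def address_is_free(addr: str, port: int) -> bool:
    """Return True if addr:port can be bound on both UDP and TCP right now.

    A DNS server needs both transports, so both are probed. The probe sockets
    are closed immediately: this is a point-in-time check, not a reservation,
    so the server should still be started promptly after the check.
    No SO_REUSEADDR is set, so a socket bound by another process on the same
    port (including one bound to the wildcard address) makes the probe fail.
    """
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    for socktype in (socket.SOCK_DGRAM, socket.SOCK_STREAM):
        s = socket.socket(family, socktype)
        try:
            s.bind((addr, port))
        except OSError:
            # EADDRINUSE, EADDRNOTAVAIL (address not configured), or EACCES
            # (unprivileged bind to port 53): all mean "do not use this one".
            return False
        finally:
            s.close()
    return True


def find_free_loopback(port: int = 53,
                       candidates: Iterable[str] = DEFAULT_CANDIDATES) -> Optional[str]:
    """Return the first candidate address on which port is free, else None."""
    for addr in candidates:
        if address_is_free(addr, port):
            return addr
    return None


def occupy(addr: str, port: int = 0) -> socket.socket:
    """Bind and hold a UDP socket on addr:port, standing in for a service that
    already owns the address. Port 0 lets the kernel pick a free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((addr, port))
    return s


def demo() -> Tuple[bool, Optional[str]]:
    """Simulate the race the thread describes: something already holds
    127.0.0.1 on the port, so the check must fall through to 127.12.12.12."""
    holder = occupy("127.0.0.1")           # another service got there first
    port = holder.getsockname()[1]
    try:
        busy = address_is_free("127.0.0.1", port)          # expected False
        chosen = find_free_loopback(port, ("127.0.0.1", "127.12.12.12"))
    finally:
        holder.close()
    return busy, chosen


if __name__ == "__main__":
    print("simulated conflict:", demo())
    print("free address for port 53:", find_free_loopback(53))
```

Run as root (or with CAP_NET_BIND_SERVICE) the last line reports which loopback address is usable for port 53 on this host; unprivileged, the EACCES from binding port 53 is treated as "not free", which is the conservative answer for an operator who intends to start the server under that same account.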